Tutorial: Configure vaulted backup for Azure Blobs using Azure Backup

This tutorial describes how to create a backup policy and configure vaulted backup for Azure Blobs from the Azure portal.

Azure Backup now allows you to configure both operational and vaulted backups to protect block blobs in your storage accounts.

Vaulted backup of blobs is a managed offsite backup solution that stores the backup data in a general v2 storage account, enabling you to protect your backup data against ransomware attacks or source data loss caused by a malicious or rogue admin.

With vaulted backup, you can:

  • Define the backup schedule to create recovery points and the retention settings that determine how long the backups will be retained in the vault.
  • Configure and manage the vaulted and operational backups using a single backup policy.
  • Copy and store the backup data in the Backup vault, thus providing an offsite copy of data that can be retained for a maximum of 10 years.

Prerequisites

Before you configure blob vaulted backup, ensure that:

  • You have a Backup vault to configure Azure Blob backup. If you haven't created the Backup vault, create one.
  • You assign permissions to the Backup vault on the storage account. Learn more.

Before you start

Things to remember before you start configuring blob vaulted backup:

  • Vaulted backup of blobs is a managed offsite backup solution that transfers data to the Backup vault and retains it according to the retention configured in the backup policy. You can retain data for a maximum of 10 years.
  • Currently, you can use the vaulted backup solution to restore data to a different storage account only. While performing restores, ensure that the target storage account doesn't contain any containers with the same name as those backed up in a recovery point. If any conflicts arise due to the same name of containers, the restore operation fails.
  • Storage accounts to be backed up need to have cross-tenant replication enabled. To verify that the checkbox for this setting is selected, go to the storage account > Object replication > Advanced settings.

For more information about the supported scenarios, limitations, and availability, see the support matrix.

Create a backup policy

A backup policy defines the schedule and frequency of recovery point creation, and how long those recovery points are retained in the Backup vault. You can use a single backup policy for your vaulted backup, operational backup, or both. You can use the same backup policy to configure backup for multiple storage accounts to a vault.

To create a backup policy, follow these steps:

  1. Go to Backup center > Overview, and then select + Policy.

    Screenshot shows how to initiate adding backup policy for vaulted blob backup.

  2. On the Start: Create Policy page, select the Datasource type as Azure Blobs (Azure Storage), and then select Continue.

    Screenshot shows how to select datasource type for vaulted blob backup.

  3. On the Create Backup Policy page, on the Basics tab, enter a Policy name, and then from Select vault, choose the vault you want this policy to be associated with.

    Screenshot shows how to add vaulted blob backup policy name.

    Review the details of the selected vault in this tab, and then select Next.

  4. On the Schedule + retention tab, enter the backup details of the data store, schedule, and retention for these data stores, as applicable.

    1. To use the backup policy for vaulted backups, operational backups, or both, select the corresponding checkboxes.
    2. For each data store you selected, add or edit the schedule and retention settings:
      • Vaulted backups: Choose the frequency of backups between daily and weekly, specify the schedule when the backup recovery points need to be created, and then edit the default retention rule (selecting Edit) or add new rules to specify the retention of recovery points using a grandparent-parent-child notation.
      • Operational backups: These are continuous and don't require a schedule. Edit the default rule for operational backups to specify the required retention.

    Screenshot shows how to configure vaulted blob backup schedule and retention.

  5. Select Review + create.

  6. Once the review is successful, select Create.

Configure backups

You can use a single backup policy to back up one or more storage accounts to the same vault in an Azure region.

To configure backup for storage accounts, follow these steps:

  1. Go to Backup center > Overview, and then select + Backup.

    Screenshot shows how to initiate vaulted blob backup.

  2. On the Initiate: Configure Backup blade, choose Azure Blobs (Azure Storage) as the Datasource type.

    Screenshot shows how to initiate configuring vaulted blob backup.

  3. On the Configure Backup page, on the Basics tab, choose Azure Blobs (Azure Storage) as the Datasource type, and then select the Backup vault that you want to associate with your storage accounts as the Vault.

    Review the Selected backup vault details, and then select Next.

    Screenshot shows how to select datasource type to initiate vaulted blob backup.

  4. On the Backup policy tab, select the backup policy you want to use for retention. You can also create a new backup policy, if needed.

    Review the Selected policy details, and then select Next.

    Screenshot shows how to select policy for vaulted blob backup.

  5. On the Configure Backup page, on the Datasources tab, select the storage accounts you want to back up.

    You can select multiple storage accounts in the region to back up using the selected policy. Search or filter the storage accounts, if required.

    If you've chosen the vaulted backup policy in step 4, you can also select specific containers to back up. Select Change under the Selected containers column. In the context blade, choose browse containers to backup, and then unselect the ones you don't want to back up.

    When you select the storage accounts and containers to protect, Azure Backup performs the following validations to ensure all prerequisites are met.

    Note

    The Backup readiness column shows if the Backup vault has enough permissions to configure backups for each storage account.

    1. The number of containers to be backed up is less than 100 in case of vaulted backups. By default, all containers are selected; however, you can exclude containers that shouldn't be backed up. If your storage account has >100 containers, you must exclude containers to reduce the count to 100 or below.

      Note

      In case of vaulted backups, the storage accounts to be backed up must contain at least 1 container. If the selected storage account doesn't contain any containers or if no containers are selected, you may get an error while configuring backups.

    2. The Backup vault has the required permissions to configure backup; the vault has the Storage account backup contributor role on all the selected storage accounts. If validation shows errors, then the vault doesn't have the Storage account backup contributor role on the selected storage accounts. You can assign the required role, based on your current permissions. The error message helps you understand whether you have the required permissions, and take the appropriate action:

      • Role assignment not done: Indicates that you (the user) have permissions to assign the Storage account backup contributor role and the other required roles for the storage account to the vault.

        Select the roles, and then select Assign missing roles on the toolbar to automatically assign the required role to the Backup vault and trigger an automatic revalidation.

        If the role propagation takes more than 10 minutes, then the validation will fail. In this scenario, you need to wait for a few minutes and select Revalidate to retry validation.

      • Insufficient permissions for role assignment: Indicates that the vault doesn't have the required role to configure backups, and you (the user) don't have enough permissions to assign the required role. To make the role assignment easier, Azure Backup allows you to download the role assignment template, which you can share with users with permissions to assign roles for storage accounts.

        Note

        The template contains details for selected storage accounts only. If there are multiple users that need to assign roles for different storage accounts, you can select and download different templates accordingly.

  6. To assign the required roles, select the storage accounts, and then select Download role assignment template to download the template. Once the role assignments are complete, select Revalidate to validate the permissions again, and then configure backup.

    Screenshot shows that the role assignment is successful.

  7. Once validation succeeds, select the Review + configure tab.

  8. Review the details on the Review + configure tab and select Next to initiate the configure backup operation.

You'll receive notifications about the status of protection configuration and its completion.
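
The readiness validations and the restore caveat described in this tutorial can also be checked ahead of time against an exported inventory. The following is an added example, not part of the original tutorial or of Azure Backup; the inventory layout, the function names, and the sample accounts are hypothetical and constructed for illustration.

```python
# Added example: mirrors the validations this tutorial describes.
# The inventory dict layout is hypothetical, not an Azure API response shape.
MAX_CONTAINERS = 100  # page: accounts with >100 containers must exclude some
REQUIRED_ROLE = "Storage account backup contributor"  # role name as written on the page


def readiness(account, vault_id, excluded=()):
    """Return the blocking findings for one storage account (empty list = ready)."""
    findings = []
    skip = set(excluded)
    selected = [c for c in account["containers"] if c not in skip]
    if not selected:
        findings.append("no containers selected (vaulted backup needs at least 1)")
    elif len(selected) > MAX_CONTAINERS:
        findings.append(f"{len(selected)} containers selected; exclude "
                        f"{len(selected) - MAX_CONTAINERS} to reach {MAX_CONTAINERS}")
    if not account["cross_tenant_replication"]:
        findings.append("cross-tenant replication is disabled")
    # Roles the vault holds on this account; compared case-insensitively.
    roles = {r.lower() for r in account["role_assignments"].get(vault_id, [])}
    if REQUIRED_ROLE.lower() not in roles:
        findings.append(f"vault lacks '{REQUIRED_ROLE}' on this account")
    return findings


def restore_conflicts(recovery_point_containers, target_account):
    """Container names that would make a restore to target_account fail."""
    return sorted(set(recovery_point_containers) & set(target_account["containers"]))


# Constructed sample inventory (not real resources).
VAULT = "vault-placeholder-id"
ACCOUNTS = {
    "appdata": {"containers": [f"c{i:03d}" for i in range(104)],
                "cross_tenant_replication": True,
                "role_assignments": {VAULT: ["Storage Account Backup Contributor"]}},
    "logs": {"containers": ["audit", "raw"],
             "cross_tenant_replication": False,
             "role_assignments": {}},
    "restore-target": {"containers": ["raw", "scratch"],
                       "cross_tenant_replication": True,
                       "role_assignments": {}},
}

if __name__ == "__main__":
    for name in ("appdata", "logs"):
        for finding in readiness(ACCOUNTS[name], VAULT) or ["ready"]:
            print(f"{name}: {finding}")
    print("restore conflicts:",
          restore_conflicts(ACCOUNTS["logs"]["containers"], ACCOUNTS["restore-target"]))
```

An empty list from readiness() corresponds to an account that would pass the portal validations covered here; any name returned by restore_conflicts() must be resolved in the target account before restoring.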

Next step

Restore Azure Blobs using Azure Backup.